Now you are assuming an IoT device is connected to the internet. The fact is that most network devices are not connected to the internet directly, so the chance of a device getting hacked is (virtually) zero.
For businesses yes, if their IT dept. is worth something they probably can keep it safe (although even the DoD in the US was hacked this year), and if their IT dept. has some balls they forbid cheap IoT devices on their network.
For home IoT devices, the nightmare is about to start.
I have read too many horror stories to trust any cheap commercial device on my network. The hardest is that 40% of the routers are compromised in the factory or have known vulnerabilities. The same routers that should keep the bad guys out in many homes.
The easiest and stupidest example: heard about UPnP? You might not even know what your router and new (NAS or external HDD) device are doing automatically behind your back, opening ports because of some stupid commercial UPnP protocol that both router and device have. And the funniest part is, no normal computer user even knows what's going on.
But then even normal PCs have become extremely vulnerable.
The PC users themselves clicking on a malware-infested picture/PDF they find in their email or daily news page.
And frankly it is not even the user's fault, it is the software morons who, instead of making web applications and scripting safe, allow an outside script to take over your OS and computer.
Who thought of that? To allow a script from a webpage to be allowed to do anything with the OS or hardware. Next PC is going to have a VM and Sandboxie and still need to make backups every month.
Oh well, maybe my job makes me paranoid, but I think it is getting much worse before it is getting somewhat better. All signs indicate that the IoT devices revolution, when it starts with hundreds of millions of connected devices, might be the end of a workable internet. I hate to be right this time.